Ha! Check out the author for the Ferruh interview

I expect writeups from all of you! Congrats! =)

I <3 JOOMLA (and Codeigniter)


gimme gimme

Testing a /dev/tcp version atm that will send goodness over the wire in *nix =)

So, metaphish uses this functionality only with javascript. I believe Dave Kennedy will be implementing into SET (the Social Engineering Toolkit) soon =)

So many ways to trick the user =(

I used to love Pandora untill i found Grooveshark

Hey kriscamaro68,

The GSEC material is much harder than the Sec+. Also it is such a wide sampling of security topics that you do need the courseware from the class to pass. This is one of few SANS tests that i would say this for, but feel that the sheer amount of info in the GSEC makes it so.

Spiderlabs (trustwave's hackers) has a radio mix off of itunes, really good stuff:

http://itunes.apple.com/us/podcast/spiderlabs-radio/id300567984

exactly... once you find your LFI you can use a bash script with curl to iterate through this list and download all files it can access.

Good times.

thanks Anquilas,

Correct, any server side code that will read files on the webserver and display them is an LFI.

The list contains the juicy stuff you want to get when you compromise a server this way.

It also serves as just a nice list to get when you pop a box in general =)

Below is a link to my favorite LFI list. This list is a great resource when you finally get "in" and dont just want to settle for etc/passwd.

Check it out:

http://pastie.org/840199

For physical SE this is quite controversial, and i dont practice it personally, but i know people who needed more SE cajonesand practiced reflective SE at ponzi-scheme meetups, scientology recruitments, local debate clubs, auctions, etc.

Just make sure your actions do not hurt anyone (monetarily,physically, and emotionally) ...

I would def recommend Chris Nickerson's old presentation for OWASP or his new one from BruCON.

Chris, Ryan, and their team is world renowned for physical security, social engineering, and general bad ass Red Team testing.

http://video.google.com/videoplay?docid=-1638710543904774703#

http://vimeo.com/7141030

http://www.youtube.com/watch?v=9pKUEs9mNUU

With the incorporation of Burp Suite Professional into our audit processes, we discovered that there was not an easy method to extract results from Burp’s session file without having to manually re-run Burp.

In order to automate this process, we have developed a standalone Python script to process Burp’s session files into XML, and have released it under the GPLv3 License here

burp2xml.py

XML will allow you to pull out all types of useful data and feed it to other tools or make scripting an output report much easier. We will be blogging about tips to use this pretty soon, let us know what you think. 

Dieter,

To specifically answer your question, yes i think a write-up on working your way through the Webgoat vulnerabilities would be useful to many new comers to the site, even if it's just your experiences.

Plus something i know for a fact is most people learn well by practical exposure, and the best way to retain the knowledge is teaching it to others =)